For years Umbraco has been a delight to work with as a programmer. And ever since Umbraco 7, things are looking amazing for editors as well. Functionality is added and expanded faster and faster. Despite this however, there is a single sore thumb that keeps sticking out for me: the User Management-section.
Security is becoming ever more important and crucial in the daily lives of us developers. This is reflected in development with regards to online security. Not only that, but it is becoming more and more essential to make the security of your CMS as good as possible to be taken serious by bigger organisations. At the same time, however, we do not want to lose Umbraco’s user-friendly touch.
The security within Umbraco is, as far as I’m concerned, handled pretty well and the User section is okay as it is today. But with a little TLC, we could turn this section into something amazing. Out of curiosity, I compared one of our oldest (live) Umbraco installations (v 4.0.3) with the latest (v 7.2.8). Between these two versions the User section hardly changed at all.
I realise that usually the major changes and suggestions come from the Umbraco HQ. But, with all the ideas floating around in my head I decided to step up and come forward with a proposal myself.
Tell me about your ideas!
Let’s start at the beginning. The past couple of years there has been a lot of discussion regarding the User Management in Umbraco. A lot of issues have been reported and numerous discussions have been had (including Open Space sessions and talks at our.umbraco.org). These discussions however, have always been isolated items making it difficult to use them to make something concrete. I have tried to read as many of these conversations as I could and analysed them to help shape my ideas. Since I’m only allowed 2.000 words in which to share my ideas with you, I have created a clickable mockup. As they say, a picture says more than a thousand words. In producing this mockup, the one thing I considered while shaping this idea was the most important target audience: the user.
The focus is primarily aimed at the User section, the login screen, a follow-up screen to the login screen and the setting of user rights (on doc-, media- and member-types). There are, of course, a lot more details to discuss. To me however, these are of secondary concern.
Show me the candy!
To start, it is easiest to just click your way around the mock-up. Keep in mind that is just a simple and static HTML site meant to help convey my thoughts. I have tried to leave out buttons that could be distracting where possible. You can find the mock-up at: http://umbraco.usermanagement.perplex.eu/logon.html. Below I have tried to explain what I want to achieve per section.
The user section
This is where the most changes have been.
- General settings. Here you can change a multitude of settings;
- A general password policy. Two important items have been added compared to default implementation. These are "Password aging" and (less important) "Password history." In the previously mentioned site I haven’t changed my password for over six years. No one has ever forced me to and like any lazy user that means I haven't. Adding something as simple as password aging will increase security immensely.
- The option to require Two factor authentication. Then, even if someone gets a hold of a user's password they would still need a second authentication method (a.k.a. "Something you know" and "Something you have"). The mock-up has four example options, but these could be extendable with other options.
- The logging of lockouts and ability to set/unset lockouts.
- Settings to send emails when there is suspicious activity regarding an account. At Perplex we have more than 80 different Umbraco websites in production. It is simply not possible to keep track of everything for all of these installations. A simple notification when an account is locked out or when someone clicked the "forgot password" link would be a good indication for possible suspicious behaviour. In my opinion this would help make things much smoother and more clear for administrators this way.
- A simple way to set up IP-restrictions. This is one of the most important layers of defense. You can instantly keep entire groups away from your back-end. Added bonus is that with this setting, an administrator no longer needs knowledge of IIS. Do keep in mind that there should be a way to prevent you from locking out yourself.
- Logging for not only all login attempts but also every change in the user section. You want to know who changed a password policy and when.
- Individual users. It is no longer possible to set a "startnode" per user; this is only possible at group level. I am still torn regarding this decision, so I would like to hear what others think about this so we can possibly find a better solution together. New here is the ability to designate groups to a user, the ability to (finally) upload your own image instead of the gravatar image as well as setting the time zone of the user. In an ideal world, I would also like to see the ability to add extra properties to a user (like one can do with members). This way it would be possible to add things such as phone numbers (for sms/text-verification), birthdays, etc. Also included should be the ability to set up and see details regarding the locking of accounts and user activity. The two-factor authentication options set by the user can also be checked here.
- User types. Besides the existing permission settings there are other things that could require permission. A good example is the recycle bin in both the content and media sections. This is basically a simple extension of the existing User Type section.
- Individual User group. A long cherished wish of many Umbracians: the ability to set up User groups. This way the creating of multiple users, with the same Umbraco permissions, will become much simpler while reducing the possibility of errors. By using these groups, the old "User Permission" section can be dropped in its entirety. This section was, in my opinion, way too complex and badly maintained. Besides, in the end a generic permission system is always better than a system build for individual settings.
A subtle change is the ability to select multiple start nodes. There are quite a few scenarios where a user would need access to multiple nodes (for example a news- and blog-section), that aren't bundled together in the tree. I realise that this would present a challenge when rendering the content tree; but as stated before, limitations and challenges will be ignored for the purpose of this post.
Another idea is to add the ability to set the allowed Create, Read, Update and Delete-actions on document-types and media-types for each user group. This would make maintaining a lot easier. Adding this could possibly even make the idea of multiple start nodes redundant. The final tab called Other has the same functionality, extrapolated to include every section of Umbraco.
The logon window
The login window and follow up pages. Considering this is a static HTML mock-up, it will show a section with three buttons after pressing the "Login" button. This is done to simulate the possible actions available.
The most important change is of course the "Forgot password" link. Upon clicking it and entering the correct e-mail address, an e-mail will be sent to the user. This e-mail will contain a link (and not a new password). Visiting this link within the hour (adjustable), will allow the user to generate a new password.
In the event Two-factor authentication has been enabled but the user hasn't activated this for his account yet, the user will be asked to set up his desired method and verify it when logging in for the first time (http://umbraco.usermanagement.perplex.eu/logonfirsttime.html). This process will differ depending on the chosen authentication method and as such, has not been included in the mock-up.
With subsequent logins, the user will have to enter the code provided by the chosen method (http://umbraco.usermanagement.perplex.eu/logontwofactor.html). There should also be an option to allow the user to mark the computer as a "trusted" login location to allow him to skip the two-factor authentication on that specific computer for some time. This is a bit of user friendliness to prevent a user from having to use this method constantly. In the user section it should be possible to view which computers are marked as trusted for the user as well as removing said computer from the users list of trusted locations.
And finally, a user should be actively forced to change his password (http://umbraco.usermanagement.perplex.eu/logonchangepassword.html) when the password has exceeded the given password age or when it no longer matches the password policy. The advantage of this approach is that it will allow you to easily tighten your password policy on existing installations. When Umbraco detects a password that no longer matches the given policy, it will redirect the user to this screen.
The setting section
The doctype-editor. In this editor, there will be the possibility to determine who is allowed to see and update specific tabs. It is relatively simple to hide specific tabs for certain users allowing you to easily set up which groups can read and update data on a specific tab. Furthermore, there should be the option to set the CRUD-actions for the doctype here as well. This tab would be the same as the one in the Usergroup section. But with this implementation, you do not force a user to jump between sections.
What's next?
The goal of this blog is twofold:
-
First off, I hope my propositions and ideas will lead to improving the User section. I have done my best to make this idea as concrete as possible and I hope we could at least agree about 80% of the functionality described. I hope that this proposition is a solid vantage point to start from. The important part is to reach consensus about what we wish to achieve. How we should implement all of this, however, is a discussion for another time.
-
Secondly, I hope to receive feedback from others, including Umbraco HQ. What are their plans? What do they wish to implement? And what do they believe should be picked up by the community? If according to their timeline an extensive rework of the user section is not planned anytime soon, there is the option to decide to take matters into our own hands. I am more than willing to develop this myself as a separate package. The ability to review and set user policies, logging, sending of emails and two-factor authentication should be relatively easy to offer in a stand alone package with its own membership provider. Such a package would not likely contain the proposed changes around User groups, however, as this would probably require drastic changes in the core layers of Umbraco which is more a task for HQ.
Hopefully this article provides a good outlook to start off a discussion in the community that will signal changes with regards to user management. I have invested a lot of time in the research and writing of this article, so I hope that you, the reader, are willing to invest a moment of your time to let me know what you think. Do you agree? Or do you think I am completely missing the point?
What did I not cover?
-
(Azure) Active Directory Integration
-
The members section. My proposal is totally focused on users
- The accompanying HTML is no work of art. It is merely meant to help show and explain the ideas I wish to share. For some sections, a different datatype/display should probably be chosen (Datatype "Country restriction") and some dependencies should be worked in in a tidy fashion (tab "IP restriction")
Sources / Related Issues / Forum posts
Umbraco issues (issues.umbraco.org) related to User Management that have the status “open”:
- U4-222 Forgotten password link http://issues.umbraco.org/issue/U4-222
- U4-7009 Changing passwords design oversight http://issues.umbraco.org/issue/U4-7009
- U4-6929 User permissions security issues http://issues.umbraco.org/issue/U4-6929
- U4-6878 Feature Request V7: Add Login Events http://issues.umbraco.org/issue/U4-6878
- U4-6685 Enhance User managementhttp://issues.umbraco.org/issue/U4-6685
- U4-241 User permissions on sections http://issues.umbraco.org/issue/U4-241
- U4-12 Security is based on groups not individuals - Users can be assigned to multiple groups http://issues.umbraco.org/issue/U4-12
- U4-5615 User permissions keep checkboxes checked if user has access http://issues.umbraco.org/issue/U4-5615
- U4-6137 How do I recover section if I disable users section for admin by mistake? http://issues.umbraco.org/issue/U4-6137
- U4-5766 Administrator can disable Umbraco access for himself http://issues.umbraco.org/issue/U4-5766
- U4-5668 Backend user not extendable http://issues.umbraco.org/issue/U4-5668
- U4-5465 New user welcome emails http://issues.umbraco.org/issue/U4-5465
- U4-5447 Changing password for other users is labeled "change your password" http://issues.umbraco.org/issue/U4-5447
- U4-5226 v7 If user is disabled, no proper feedback provided at login http://issues.umbraco.org/issue/U4-5226
- U4-2111 Default user language is English (UK) while default Umbraco language is English (US) http://issues.umbraco.org/issue/U4-2111
- U4-3791 Feature Request: Umbraco User/Site Timezones http://issues.umbraco.org/issue/U4-3791
- U4-3672 Users can't change profile image in the Umbraco UI http://issues.umbraco.org/issue/U4-3672
- U4-2877 Custom sections with start node ID http://issues.umbraco.org/issue/U4-2877
- U4-2599 Enabling/Disabling Active Directory-Backed Users http://issues.umbraco.org/issue/U4-2599
- U4-2598 Menu Option to Re-Enable Disabled Users http://issues.umbraco.org/issue/U4-2598
- U4-2474 Remove caching for user permissions http://issues.umbraco.org/issue/U4-2474
- U4-80 Read only rights http://issues.umbraco.org/issue/U4-80
- U4-2252 read only access to content nodes http://issues.umbraco.org/issue/U4-2252
- U4-1841 Add an audit trail to users http://issues.umbraco.org/issue/U4-1841
- U4-707 Users and content access - improvement suggestion http://issues.umbraco.org/issue/U4-707
- U4-198 One suggestion: Let default admin user can access to User section any time no matter the user can access to User section(4.7.1 beta). http://issues.umbraco.org/issue/U4-198
- U4-107 Create folders in User section http://issues.umbraco.org/issue/U4-107
- U4-94 Feature request: Make it possible to create folders in the "user" section http://issues.umbraco.org/issue/U4-94
A lot of our.umbraco.org posts (just a subset of relevant topics)
- (Azure) Active Directory questions
- IP-lock issues
- https://our.umbraco.org/forum/core/general/66515-cg15-open-space-umbraco-security-model
Related backoffice extensions (still working or not :) )
- Usergroup permissions https://our.umbraco.org/projects/backoffice-extensions/usergroup-permissions
- User group permissions https://our.umbraco.org/projects/backoffice-extensions/user-group-permissions/
- OAuth Login to Umbraco Backend https://our.umbraco.org/projects/backoffice-extensions/oauth-login-to-umbraco-backend/
- Back Office Password Reset https://our.umbraco.org/projects/backoffice-extensions/back-office-password-reset/
- Active Directory Backend Users https://our.umbraco.org/projects/backoffice-extensions/active-directory-backend-users/
- Edit Umbraco User Dashboard https://our.umbraco.org/projects/backoffice-extensions/edit-umbraco-user-dashboard/
- Umbraco Active Directory Authentication https://our.umbraco.org/projects/backoffice-extensions/umbraco-active-directory-authentication/
- AttackMonkey Security Helper https://our.umbraco.org/projects/backoffice-extensions/attackmonkey-security-helper/
- AttackMonkey Tab Hider https://our.umbraco.org/projects/backoffice-extensions/attackmonkey-tab-hider/
- Protected properties https://our.umbraco.org/projects/backoffice-extensions/protected-properties/
- Admin User Change Password https://our.umbraco.org/projects/backoffice-extensions/admin-user-change-password/
A look at the competition and other references:
- http://installatron.com/wordpress/demo/backend
- http://installatron.com/drupal/demo/backend
- http://installatron.com/joomla/demo/backend
- https://lastpass.com/f?11768156 . LastPass
- Active Directory Settings in Windows Server 2012
- https://msdn.microsoft.com/en-us/library/aa478949.aspx
- Harris, Shon (2013). CISSP exam Guide. (Sixth edition). McGraw-Hill Education. Pp. 174 – 198.
- Drapkin, Stan (2013, October). Security Driven .NET. Retrieved 02-10-2015, from http://securitydriven.net/
- https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet